I'm using Firebase in a side project that requires authentication using Facebook, Twitter, Google and Twitch. Unfortunately, Firebase Auth doesn't support authentication using Twitch out of the box. I would like to know the best approach to solve the problem: can I use Firebase Auth & a Custom Auth system only for Twitch?
Firebase supports signing in with any provider, as long as you are willing to write the code for it. The process is pretty well documented in a page called creating custom tokens.
If you're looking for samples for other providers, have a look at the functions-samples repo, which contains a.o. samples for signing in with LinkedIn, Okta, and Spotify.
There are plenty of tutorials and articles on this precise question, but each one contradicts the previous one.
I'm trying to make signup and login ReactJS pages with the Firebase JS SDK on the frontend, which is what I found most YouTuber devs do,
and then I found that it is not secure (doing the authentication on the client side).
You should use the Firebase Admin SDK (firebase.google.com/docs/admin/setup) on Firebase Cloud Functions or a self-hosted server in that case. Everything else would just be a dirty hack – PRSHL source
It's not recommended to create admin accounts on the front end as anyone could look into the code and action it themselves. source
I really want to understand: if it is not secure to use it on the client side, why does Firebase provide it in the first place? Or is there another way to properly write the auth using the Firebase JS SDK on the frontend? Of course without using the Admin SDK.
Or should I use the Firebase JS SDK on the backend with Express?
I only want clear and detailed answers, please!!
My best guess is that you're confused between authenticating a user client-side and the fact that Firebase provides a client-side SDK for authenticating users.
Though all you have to do to use Firebase Authentication in your app is implement its client-side SDK, there are many more parts involved in the process - and quite a few of them run on secured servers.
It's just that Firebase (and the authentication providers it supports) have implemented the server side of the authentication process for you already and made the variable parts of the process part of the configuration that you provide either in the Firebase console, the provider's web interface, and/or in the configuration that you specify when you initialize the Firebase SDK in your client-side application code.
From the comments you now added, the second is correct and explains exactly what the risk is:
It's not recommended to create admin accounts on the front end as anyone could look into the code and action it themselves.
So while you can safely create a user account on the client (a process known as authentication), marking them as an admin (a process known as authorization) has to happen in a trusted environment as otherwise any user could make themselves an admin.
I am trying to implement SSO with Firebase Authentication, and I am trying to do it without using a third party like Okta, and wanted to know if there is any workaround for this. Basically the use case is like this:
A client wanted to build a custom SSO solution and had already chosen Firebase, based on Google’s promise to rollout SSO support in the future. The client did not want migration to any other SSO provider like Auth0 or Identity Server, or to deal with user-password migration and potential related issues. They preferred instead to use a temporary, custom solution that would store user’s passwords in Firebase Authentication.
The client had several customer portals based on WordPress Customer Relationship Management (CRM) and an existing list of users in Firebase Authentication. Each time users visited a new portal, credentials were required, and again when users followed a link from one portal to another. It was not always obvious for users that the same credentials should be used for different portals.
By default, Firebase keeps authentication context for one domain but doesn’t provide seamless SSO integration between different domains. To provide this functionality, SoftServe determined that a new Firebase service should be implemented.
What are the differences between signInWithPopup vs linkWithPopup in firebase? From the API reference, I can barely get anything useful regarding the differences.
They are completely different operations.
signInWithPopup is for signing in an existing user through an authentication provider that can use popup windows to handle the interactions with the user. The alternative is signInWithRedirect, which does not use a popup.
linkWithPopup is for linking additional authentication providers to an existing Firebase auth account using a popup window. The alternative is linkWithRedirect, which does not use a popup.
I suggest reading through the documentation for signing in users (Google, Facebook), and linking additional accounts.
I'd like to make a small web app using only client side javascript, that is publicly available on GitHub and hosted via GitHub Pages, that renders information about the different repositories of an organization on GitHub.
Is this possible to do in such a way that:
allows me to authenticate with GitHub without compromising a secret key,
allows me to query GitHub's new graphql api?
In both cases, the docs seem to suggest that the answer to my questions are "no" and "no":
for example, the authentication docs emphasize how to authenticate on the CLI, but I don't find anything on authenticating from a web page via javascript -- is there really no way to do this securely from only the client? Is a server required for this?
for example, the api v4 docs seem to only mention how to call the graphql endpoint via cURL or by using their GraphQL Explorer
I'm seeking guidance here in the hopes that I'm misreading the docs, and that there really is a way to:
build a static-site that authenticates with GitHub for the increased query rate limit size,
and that, when a user visits the page, queries the v4 api and displays the appropriate information about the current status of the various repos of an organization.
I ignored the documentation and just submitted a POST with a Basic Authorization header. It seemed to work. I found the other issue. GitHub wants a User-Agent header. If you are running in a browser that happens automatically, but if you are not you need to add it yourself. GitHub documents what should be in it, but apparently does not validate it.
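As an added example (not code from the question or the answer above, and not GitHub's own), here is the request the answer describes: a JSON POST to the v4 GraphQL endpoint with an Authorization header and an explicit User-Agent, plus the response handling a static page needs. The organization login, the token value, the User-Agent string and the repository fields chosen are assumptions for the example. The token is supplied by the visitor at runtime: every byte of a GitHub Pages bundle is public, so there is no place in a purely static site to keep a secret, which is exactly why the question's first concern cannot be solved by embedding a key.

```javascript
// Added example: client-side GraphQL call to GitHub v4 as described in the
// answer. No secret is stored here; the token is whatever the visitor pastes in.
const GITHUB_GRAPHQL_ENDPOINT = 'https://api.github.com/graphql';

const ORG_REPOS_QUERY = `
query OrgRepos($org: String!, $first: Int!) {
  organization(login: $org) {
    repositories(first: $first, orderBy: {field: PUSHED_AT, direction: DESC}) {
      nodes { name isArchived stargazerCount pushedAt }
    }
  }
}`;

// btoa exists in browsers and in Node 16+; Buffer covers older Node.
function toBase64(s) {
  return typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'utf8').toString('base64');
}

// Builds the fetch() options. scheme 'bearer' is the form the GraphQL docs show;
// 'basic' is the form the answer reports working (token as username,
// x-oauth-basic as password). Browsers send their own User-Agent and may ignore
// an override; the header matters for non-browser callers, as the answer notes.
function buildGraphqlRequest({ token, org, first = 20, scheme = 'bearer',
  userAgent = 'org-status-page' }) {
  if (typeof token !== 'string' || token.trim() === '') throw new Error('a GitHub token is required');
  if (!/^[A-Za-z0-9-]+$/.test(org)) throw new Error('invalid organization login');
  const authorization = scheme === 'basic'
    ? `Basic ${toBase64(`${token}:x-oauth-basic`)}`
    : `bearer ${token}`;
  return {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      Accept: 'application/json',
      Authorization: authorization,
      'User-Agent': userAgent,
    },
    body: JSON.stringify({ query: ORG_REPOS_QUERY, variables: { org, first } }),
  };
}

// GraphQL answers HTTP 200 even when the query failed, so `errors` must be
// checked as well as the status code.
function parseOrgRepos(responseJson) {
  if (Array.isArray(responseJson.errors) && responseJson.errors.length > 0) {
    throw new Error(`GraphQL errors: ${responseJson.errors.map((e) => e.message).join('; ')}`);
  }
  const org = responseJson.data && responseJson.data.organization;
  if (!org) throw new Error('organization not found or the token cannot see it');
  return org.repositories.nodes.map((r) => ({
    name: r.name,
    archived: r.isArchived,
    stars: r.stargazerCount,
    lastPush: r.pushedAt,
  }));
}

// Wiring for the page itself (needs network, so not exercised offline).
async function fetchOrgRepos(token, org) {
  const res = await fetch(GITHUB_GRAPHQL_ENDPOINT, buildGraphqlRequest({ token, org }));
  if (!res.ok) throw new Error(`GitHub responded ${res.status}`);
  return parseOrgRepos(await res.json());
}
```

Keeping the token in memory only (or at most sessionStorage) and asking the visitor for it each session is the trade-off a static site gets: the higher authenticated rate limit, at the price of each visitor bringing their own credential.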
Hi, I'm wondering how to configure the passport-twitter npm package to allow authenticated users to post tweets from the app I'm currently building, using their own Twitter account.
Also, are there Node packages that are more suited to using Twitter functionality that requires access tokens? Like this?
https://www.npmjs.com/package/passport-twitter-token
Passport is only for OAuth, i.e. to sign up/sign in via a strategy like Twitter. It's not for using the Twitter API as a whole.
However, on signup/signin you can use the token to communicate with Twitter independently. If you go for third-party modules, then I doubt you will not find one which smoothly co-exists with Passport; they may have their own handles.
For the Facebook strategy I did the same. I have not used any third-party module. Instead I directly called the Facebook Graph API using an HTTP request and passed the same token which Passport had given me, and I was successfully able to post stories on a Facebook wall using that token.